Preventing fraud

We recently received a lot of invoices from web shops all over the web, some of them outside Sweden. Someone was mirroring our site in iframes under a domain name similar to ours. All mail to the bogus domain went to the attacker, while the web traffic still reached us. So when these web shops double-checked the fake domain's website to see whether it was genuine, it looked like it was.

First, enable the Apache headers module (mod_headers):

# a2enmod headers

This can be added to a specific site's .htaccess:

<IfModule mod_headers.c>
    Header set X-Frame-Options "sameorigin"
</IfModule>

On Debian you can apply this to all your virtual hosts by editing "/etc/apache2/conf-available/security.conf" and uncommenting the following lines:

Header set X-Content-Type-Options: "nosniff"
Header set X-Frame-Options: "sameorigin"
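An added example (not from the original post): a small Node.js script that reads a raw HTTP response header block, like the one you get from curl -I against your site, and reports how browsers will treat framing of the page. It also covers a Content-Security-Policy frame-ancestors directive, which takes precedence over X-Frame-Options when both are sent; the header samples in it are constructed.

```javascript
// Added example, not from the original post: report from a raw HTTP
// response header block how browsers will treat framing of the page, which
// is what the Apache directives above control. Header samples are constructed.

function parseHeaders(raw) {
  // Map lower-cased header names to values; a repeated header is joined
  // with ", ", which is how user agents expose it.
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue; // status line or blank line
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return headers;
}

function framingPolicy(raw) {
  const h = parseHeaders(raw);
  // A CSP frame-ancestors directive takes precedence over X-Frame-Options.
  const csp = h['content-security-policy'] || '';
  const fa = csp.match(/(?:^|[;,])\s*frame-ancestors\s+([^;,]+)/i);
  if (fa) {
    const sources = fa[1].trim().toLowerCase().split(/\s+/);
    if (sources.includes("'none'")) return 'deny';
    if (sources.length === 1 && sources[0] === "'self'") return 'sameorigin';
    return 'allowlist'; // only the listed origins may frame the page
  }
  if (!('x-frame-options' in h)) return 'unprotected';
  // Browsers split the value on commas and compare tokens case-insensitively.
  const tokens = new Set(h['x-frame-options'].split(',').map(t => t.trim().toLowerCase()));
  if (tokens.size > 1) return tokens.has('deny') ? 'deny' : 'conflicting'; // conflicting => framing allowed
  const [token] = tokens;
  if (token === 'deny' || token === 'sameorigin') return token;
  return 'unprotected'; // unknown value, e.g. the obsolete ALLOW-FROM, is ignored
}

// Constructed samples: the security.conf headers above, a response with no
// protection, and one that additionally sets frame-ancestors 'none'.
const HARDENED = 'HTTP/1.1 200 OK\r\nX-Content-Type-Options: nosniff\r\nX-Frame-Options: sameorigin\r\n';
const BARE = 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n';
const CSP_DENY = HARDENED + "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n";

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, raw] of [['hardened', HARDENED], ['bare', BARE], ['csp', CSP_DENY]]) {
    console.log(`${name}: ${framingPolicy(raw)}`);
  }
}
```

Run it against the headers your own server actually sends; a "conflicting" or "unprotected" result means the directive is not taking effect as intended.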

The header above only works in newer browsers; for older browsers we can fall back on JavaScript. Put this at the top of your index.php, header.php or whichever file loads first on your site. Remember that there are ways to get around this!

<script>
    // If this window is not the top-level window, the page is being framed:
    // navigate the framing page away to the warning script.
    if (window != top) {
        top.location.href = 'hijack.php';
    }
</script>

Your hijack.php script could look something like this:

<?php
    // Warn the visitor and append the time and client address to a log file.
    $ip = $_SERVER['REMOTE_ADDR'];
    echo "Possible Fraud! Your IP has been logged: " . htmlspecialchars($ip) . "<br>";
    // Path is relative to this script; keep the log outside the document root.
    file_put_contents('hijack.log', date("Y-m-d h:i:sa") . " - " . $ip . "\n", FILE_APPEND);
?>

The latest recommendation from The Open Web Application Security Project (OWASP) is to include the following code as the first thing in your page. It does essentially the same as my solution above, but it also hides the page body until the script has confirmed that the page is not framed.

<style id="antiClickjack">body{display:none !important;}</style>
<script type="text/javascript">
    if (self === top) {
        // Not framed: remove the style that hides the body.
        var antiClickjack = document.getElementById("antiClickjack");
        antiClickjack.parentNode.removeChild(antiClickjack);
    } else {
        // Framed: replace the framing page with this one.
        top.location = self.location;
    }
</script>

Published by Nimpen J. Nordström

System Developer and Network Security Enthusiast
